This is the kind of story that perfectly captures why “open source” != “freedom.”
You can run 100% FOSS software and still be completely imprisoned if you give control to a middleman.
The company in this story didn’t just sell “support”, they sold permission. They took something open, wrapped it in contracts, lock-ins, and managed-service handcuffs, and then claimed ownership of it. That’s the new vendor lock-in model: control the interface, not the code.
The chilling part isn’t that they could read customer emails, it’s that they thought it was normal. Somewhere between “managed service” and “surveillance,” the moral line vanished, replaced by legalese.
This story should be printed and taped above every government IT procurement desk.
If you don’t own your servers, your keys, and your contracts, you don’t own your data, no matter how “open” the stack is.
I disagree that you can’t own something that isn’t physically controlled by you. Almost all of us have money which is not kept on our persons or property, in banks and investments. I think people would be outraged if someone told them it belonged to the bank.
What’s really important is the laws and regulations governing ownership. Ownership in a modern society is nearly entirely a legal construct. Ownership of data shouldn’t be any different.
> I think people would be outraged if someone told them it belonged to the bank.
You might find it interesting to read about the 2013 Cyprus bank levy then. The government unilaterally raided people's savings accounts, taking between 6.75% and 10% as a one-off tax with essentially no warning. When you put money in the bank you are implicitly accepting the (small but real) risk that the government will come along and say "I'm having some of that" and there's nothing you can do about it.
More anecdotally, I once had to help a family friend sue a bank for several tens of thousands of pounds in the UK because they refused to pay him back his balance when he closed the account and refused to explain the reason. It took a little over 6 months to get the money back. While researching the case, I discovered countless other cases in which businesses had gone bankrupt because of delays in recovering their money from the bank. Under UK legislation, banks can and do do this if they have "suspicions" of money laundering (which can be triggered for any reason whatsoever - the suspicion doesn't have to be reasonable). Not only do they not have to explain to the customer what those suspicions are, they are legally required not to. They can hold onto your money for up to 31 days and this can be extended to up to 6 months by a court order after a hearing which you will be excluded from and likely not even know took place until after the fact.
Legally you do not own your money in the bank. Instead you own a "chose in action" (https://en.wikipedia.org/wiki/Chose) which is the right to sue the bank for the money. Although it sounds similar to outright ownership, it's not the same thing.
The government could also tax you an extra $5000 out of nowhere by pushing a law through. That levy happened to go for bank accounts but the general concept isn't tied to whether your money is stored personally.
Freezes are a big problem but they don't get to keep it. The delay is the problem, not a transfer of ownership.
Nonetheless, there's a fundamental legal difference between ownership (e.g. of the notes and coins in your pocket) and a chose in action (the right to sue the bank for the money which you don't own).
If you own something and someone withholds it from you, in the general case that's theft. Because theft is a criminal offence, people generally won't risk doing it. With a chose in action, you have to sue in a civil court for damages. In the meantime, the bank might go bust, you might lose your case, you may give up without even going to court because the amount they've kept isn't worth the time and legal costs of recovery.
You've probably heard the phrase "possession is 9/10ths of the law". If the government introduces a no-warning one-time $5000 levy, they still have to recover the money from you. The effort of doing so is on them and they have the burden of proof. Maybe they will, maybe they won't. Maybe you'll decide to leave the country before the legal process concludes. These are some of the advantages of ownership.
When the money is in the bank, the bank and the government can simply agree (without a court's involvement) that you owe the $5000 and there is nothing you can do other than try to sue the bank (and likely lose) because you never owned the money in the first place. The burden of proof shifts to you and it's unlikely you'll ever see that money again.
> I disagree that you can’t own something that isn’t physically controlled by you.
We're not talking about "something" in general, but about digital infrastructure.
> Almost all of us have money which is not kept on our persons or property, in banks and investments. I think people would be outraged if someone told them it belonged to the bank.
A better analogy is if you have a cryptocurrency wallet managed by Coinbase. You don't own it. And they can in fact suspend your account (and probably take your crypto) if they don't like you.
I’m not sure that analogy contradicts ownership. Physical assets can be seized or stolen also (if Deloitte’s AI doesn’t like you) but it doesn’t negate the concept of ownership of those.
Maybe possession would be a more accurate legal term? You can own something that isn’t in your possession (e.g. might have been loaned, stolen, etc.) or possess something that you don’t own (e.g. the other side of the transaction).
> If you don’t own your servers, your keys, and your contracts, you don’t own your data, no matter how “open” the stack is.
Quite true, but the choice is nearly never between an agency letting someone else own the data and owning it themselves. The idea of switching in one fell swoop from a labyrinth of duplicative, proprietary SaaS/hosted systems to self-managed open source is a fantasy for all agencies. Even if we take that as the goal (not necessarily something I agree with), nobody can get there in a single migration/political season/anything short of years.
Rather, the near-term choice is between who and how many parties own the data. Do you work with a stack of midsize cloud resellers, each of which has questionable quality and a lot of experience maximizing government revenue via advantageous connections and contracts? Or do you work with one of the hyperscaler clouds--higher quality, less specifically designed to exploit gov (I said less, GovCloud, now get your hands out of my wallet!), slightly more friendly to "build what you want how you want" approaches?
Neither of those approaches lets you take ownership of your servers/data/contracts fully. But the latter moves you closer to that ideal; the former does not.